Recently, bug-bounty programs have gained popularity and become a significant part of the security culture of many organizations. Bug-bounty programs enable organizations to enhance their security posture by harnessing the diverse expertise of crowds of external security experts (i.e., bug hunters). Nonetheless, quantifying the benefits of bug-bounty programs remains elusive, which presents a significant challenge for managing them. Previous studies focused on measuring their benefits in terms of the number of vulnerabilities reported or based on the properties of the reported vulnerabilities, such as severity or exploitability. However, beyond these inherent properties, the value of a report also depends on the probability that the vulnerability would be discovered by a threat actor before an internal expert could discover and patch it. In this paper, we present a data-driven study of the Chromium and Firefox vulnerability-reward programs. First, we estimate the difficulty of discovering a vulnerability using the probability of rediscovery as a novel metric. Our findings show that vulnerability discovery and patching provide clear benefits by making it difficult for threat actors to find vulnerabilities; however, we also identify opportunities for improvement, such as incentivizing bug hunters to focus more on development releases. Second, we compare the types of vulnerabilities that are discovered internally vs. externally and those that are exploited by threat actors. We observe significant differences between vulnerabilities found by external bug hunters, internal security teams, and external threat actors, which indicates that bug-bounty programs provide an important benefit by complementing the expertise of internal teams, but also that external hunters should be incentivized more to focus on the types of vulnerabilities that are likely to be exploited by threat actors.

翻译：近年来，漏洞奖励计划日益普及，已成为众多组织安全文化的重要组成部分。这类计划通过汇集外部安全专家（即漏洞猎人）的多元化专业知识，帮助组织提升安全防御能力。然而，量化漏洞奖励计划的效益仍存在困难，这对计划管理构成了重大挑战。以往研究主要从已报告漏洞数量或漏洞严重性、可利用性等固有属性角度衡量其价值。但除固有属性外，漏洞报告的价值还取决于该漏洞被威胁行为者发现的时间——是在内部专家发现并修补之前还是之后。本文对Chromium和Firefox的漏洞奖励计划开展了数据驱动研究。首先，我们以"重发现概率"作为创新指标评估漏洞发现难度。研究表明，漏洞发现与修补通过增加威胁行为者发现漏洞的难度创造了显著价值；同时我们也识别出改进空间，例如应激励漏洞猎人更多关注开发版本。其次，我们对比了内部发现与外部发现的漏洞类型差异，以及被威胁行为者实际利用的漏洞特征。研究发现，外部漏洞猎人、内部安全团队与外部威胁行为者发现的漏洞类型存在显著差异：这表明漏洞奖励计划通过补充内部团队专业能力提供了重要价值，但也需进一步激励外部猎人聚焦于更可能被威胁行为者利用的漏洞类型。